cyber security

Cyber security tips for small business

Olivia Pearce — Mon, 12 Aug 2024 01:19:05 +0000

Cyber security tips for small business Olivia Pearce Mon, 08/12/2024 - 11:19

31 July 2024

Australian Small Business and Family Enterprise Ombudsman Bruce Billson interview with Tim Webster.

ABC Radio Sydney

Subjects: ransomware attacks on small business, cyber security tips for small business, insolvency concerns, business continuity planning, changes to privacy laws, energising enterprise, Carly Simon, Warren Beattie, Mick Jagger and James Taylor

Tim Webster

Australian businesses are paying untold amounts of ransom to hackers, but neither the government or the public actually knows how much. That's interesting. The Cyber Security Act, which is yet to be unveiled, would force Australian businesses and government entities to disclose the payments or face fines expected to be brought before the parliament at the next sitting. So, how will small business deal with all of that? The Australian Small Business and Family Enterprise Ombudsman is Bruce Billson. He joins us from time to time and we love talking to him. G’day.

Bruce Billson

Great to be with you Tim. And I haven't heard that Carly Simon version either. Everyone remembers that Coming Around Again that was in that Heartburn movie, and, of course, You're so Vain. I mean, that doesn't apply to anyone in this conversation, but that was a big hit.

Tim Webster

Certainly not. 1973 You’re so Vain. Well, the conjecture about who it was about, and I think she eventually said it was a conglomerate. Warren Beatty, Mick Jagger, of all the men she’s known.

Bruce Billson

Warren suffered from being a particularly handsome rooster. Who knows. But that’s not what's on our mind though. The pressures on small business.

Tim Webster

The Cyber Security Act. Now, that's an interesting piece of information. Untold amounts to hackers, but neither the government or the public knows how much. I imagine that's because business doesn't want them to know.

Bruce Billson

Yeah, it's a tricky one because most of the expert advice is don't pay for the ransomware to be released so you can get your data back. But, clearly, in some cases, businesses are making a commercial decision that rather than have the whole capability and their ability to engage in trade and vital data, there are reports that some actually pay the ransomware and then hope that the nefarious figures that are involved in cyber hacking then do the right thing and release their data.

It’s a bit of a contested space, but the expert advice is, overwhelmingly, don't pay the ransomware. But then the same experts are saying for us to be best placed to combat that kind of thing, we need to know what's going on. And therefore, you know, the information perhaps around who's doing the ransomware attack and what you may be asked to pay is something that's really important to those trying to defend us in this cyber security threatening world.

Tim Webster

I know it's a threatening world, but tell me, do you think it's fair to fine people for non-disclosure, whether its 15 grand or whatever it might be, because they’ve already been ‘got’, haven’t they?

Bruce Billson

I don't think it's fair for small business to face what could be a fine that, if it was applied to them, would cripple their business. At a time when small business people are so time-poor and margins are really squeezed, and we know nearly half aren’t profitable right now. If you're hit with a ransomware threat or challenge, I reckon you'd be pretty focused on trying to get your business up and going again. And one of the things that we're finding in this complicated, quite sophisticated regulatory environment, you might not even know to whom it is you need to report this breach, but you inadvertently break the law, and then you're faced with another crippling impact on your business.

We've been urging government to have, almost like an A-Team, that can get alongside small and family businesses that have a cyber event. Have them navigate that process, help them make sure they've got appropriate safeguards, but also help them recover on the other side.

I'd hate to see anything that discourage people reaching out for that help if they feared getting pinged with a fine. So, maybe if it's a bigger organisation Tim, and they've got, you know, technical experts and they know all the organisational structure that happens in this space. Maybe a more punitive response is arguable. A time-poor resource-stretched small business, I’m not so sure about that.

Tim Webster

We were, as you would know, a victim of that CrowdStrike. And it was incredibly dramatic here when you've got a studio full of blue screens. So, it's happening to everybody. Maybe more help from the government rather than hindrance from the government on cyber security?

Bruce Billson

That’s our view. Look, there's some encouraging signs there. In the last budget there was an announcement to set up a small business cyber resource hub. I'm optimistic about that. That's what we've been urging that the government does, so that there's a real sense that government is an ally for small business when getting through these terrible events. Not one where they’re fearful of raising these challenges and therefore not getting the help they want and they need, and then having that really impacting on that businesses opportunity to recover, to get its data back, get systems going and and focus on delighting customers. Not that there's some fine around the corner they might get spanked with.

Tim Webster

My texter – don't forget to put your name on the text so I could acknowledge who you are - but he or she basically says, more regulation and red tape on small business owners like myself. It's none of anyone's business what I pay and to who.

Bruce Billson

I think if you had this support posture, one of assistance rather than of compliance, you get small businesses saying, oh, hang on, this is a change in our economy. I really need to be tooled up and as well-equipped as I can be. And to have the resources of government there to assist in making sure you've got appropriate safeguards, good preventative steps. Good, dare I say data hygiene. Sorry for the jargon, Tim. That'd be great. Then if something happened, somebody can get alongside you to work out what you need to do to get through that event. And then some help on the other side getting back up and going.

I think that posture, so much better, so much more likely to get the right outcome that policymakers are hoping for, rather than having this big fine hanging over a small business for whom, if they pinged, they might not have even known they needed to take those steps and then that fine itself could bring them down as badly as perhaps the cyber threat did.

Tim Webster

Everyone's got so much to do, Bruce. Oh, you got pinged and you feel really guilty. But don't because there's so much of it around. I mean everyone's after your information, your money, every day of the week. I mean the amount of text you get, emails you get. You've going to be so vigilant these days.

And look, Jamie says this. Good point. Don't know why you'd pay the ransom. Couldn't the hackers just copy the information they'd hacked and release it anyway?

Bruce Billson

I'm kind of with Jamie. And I’m not discounting for one minute that a commercial decision is often what's guiding this. But I tell you what, if someone was nefarious enough to have a crack and compromised my system in the first place, if I handed over a substantial chunk of change in the hope that they then do the right thing. That's the thing that I'm wary about with paying ransomware. I would have imagined having good backups, you know, multi-factor authentication to sort of limit what's going on. For your listeners that are in business and maybe use digital platforms, and have a credit card attached to say their Meta Marketplace account, if that gets hacked, do what I do. I use a very low amount credit card for my online transactions. Thinking, you know, if someone does grab that data and has a crack at my credit card, if I can't go back to the people that should have guarded against that in the first place, I at least have kept the credit limit very low. And therefore, the harm to me is minimised.

So, for your listeners and businesses and even consumers that are dealing with those online transactions and having credit cards linked to the advertising spend on digital platforms, have a separate credit card with a really low credit limit on it and minimise that risk. Make sure you've got control over that account. If they've taken the account out and blocked you, make sure there's another way of verifying that you’re who you are. And if all else fails and you’re a small business, get on to us and we'll help out.

Tim Webster

Is that Cyber Security Act a fait accompli? Is that going to happen, or can you convince them to not do it?

Bruce Billson

It's still going through the Parliament, so there's plenty of opportunity for some of your texters and others that have raised some good views, to feed those in because it's really about right-sizing it Tim. You and I've talked about that before, but a small business isn't some shrink wrapped major corporation that's got, you know, technical expertise coming out of their ears. That's not right. It's mum and dad and committed enterprising men and women often doing compliance things 10 o’clock at night to try and make sure that the business of running the business is attended to while they also focus on what the future looks like for their business, how can they delight customers and maybe, you know, innovate to get better value for themselves and the people that rely on the business.

Tim Webster

Alright, let's leave that one. There's a few issues to deal with. A 50% increase in queries by small business about a business they're dealing with, possibly being insolvent or a concern about what to do if they're worried about their own place.

Bruce Billson

There's a couple of things happening here. What we are seeing is that really significant uptick in concerns. We're also seeing people checking on what are called credit reference platforms, where they check to see whether the business they are dealing with has some, let's use the word form of not always paying their bills and the like.

But also we're getting an increase in payment disputes even when work is carried out under the contract or the terms that were agreed. Just getting paid Tim, just getting paid is really a pain point. And when the cash flow is tight and when you see the Tax Office are up and about trying to make sure that people with outstanding tax liabilities are engaging with them. When margins are being squeezed, one of the things you see sometimes there’s this friction in just getting paid and the payment time blowing out. It's a real concern.

So, what we're saying to business is if you've got those concerns there are ways you can check, for small fee you can check on the credit record of those businesses. That doesn't mean don't do business with them. But if you and I were running an electrical business and at a subdivision out in western Sydney, in a growth suburb like that, we've got to spend a bit of money buying all the equipment, the substations. So, we're out of pocket already. And then there's our time and expertise. So not being paid, not only us not being rewarded for our work and our diligence, we're also carrying the costs of the equipment we've had to buy. And therefore, you might say to that that developer I want half that project cost as a down payment before I start, so that I can at least cover the costs of those outgoings for equipment. And when the job's done, I'll come and get the rest.

So, you might change your terms, the way in which you engage. But just making an informed decision about those things where we are seeing an uptick in these payment difficulties, we recommend that as part of your approach to your business.

Tim Webster

Louise from Inverell. Louise says, I've got a small limit on my credit card. I used to make jokes that I should keep it maxed out for safety's sake.

Bruce Billson

She raises an interesting point. It is about managing that risk. I mean, sadly, the experience that you've had in the studio and some of these cyber events, I don't think they're the exception. We're likely to see more of that. It’s almost a new normal where there's such a dependency on technology and digital systems in our economy and our lives. Just taking those steps to safeguard, to prevent a bad event happening, and then to limit not only the risk of it, but the cost of it, they’re the things that that we're urging people to do.

Tim Webster

Now, let's allay the fears of Elyse at Mascot. This discussion about small business and security, making me feel very uncertain about transacting digitally with small business. Unfortunately, it steers me to dealing with larger organisations that are better resourced to protect my data.

Now, just on the back of that text. Also, a text about - look, sometimes on the ABC you have to mention a commercial entity just to make a point – I've been asked about PayPal. I don't, but my wife does, and she's never had any issues with that. So, both texts are sort of going, oh, gee, what do I do?

Bruce Billson

There's some really good points in there. And frankly, those messages are reflecting the sentiment in the business community. There is a heightened anxiety and awareness of these things, but there are steps that you can take within your own control. I mentioned multi-factor authentication. Changing your passwords, trying not to have Timisfab12345 as your password is probably not ideal.

Even the software, you get a notification that there's an update for the software. Tim and listeners, often those updates have safeguards or patches to guard against weaknesses or vulnerabilities in the software. Back up your files. I was involved in building a bank to take on the big banks and we used to have a system, and I know it's at a larger scale, but we used to have a system that backed up almost continuously. So, if one of what frankly was thousands of attacks on our site every week, if one of those worked, we could just go back to the moment and all the data before it was compromised and boot it up again from there. So those backups become really important.

PayID, where you verify who the payer is. One of the things in small business that is a real cyber threat are what's called the invoice substitution scam. So, they’ll sneak into your accounting and invoicing system and you won't even know it. They’ll mess with a PDF, a saved file, and put someone else's banking numbers in there. So it all looks legit. You're expecting this invoice. You pay it on the basis of what's in it. All looks legit. And some nefarious character’s gone and changed the banking details so it whisks that payment off to another account. And before you know it, they've converted it to crypto and you can't track it down. So, ways around that is to verify who you are sending money to, to use things like PayID and those secured systems.

The other one is to consider eInvoicing, which is a much tighter, less vulnerable way of sending invoicing. So, there’s steps that you can take. But needing to be situationally aware is really important.

Tim Webster

Jamie opened a second account and transferred my money to that. So, on the credit card, he's got nothing. And this one from Chris. SMEs and large enterprises should open a business continuity plan for ransomware, including incremental offsite backups. It's critical. And then their own servers would help. That’s Chris. It’s clever.

Bruce Billson

Chris is legendary. I hope he doesn't think we've planted that in there. Chris is absolutely right. We found only about one in four have an up-to-date business continuity plan. And that's where you contemplate things that might knock your business off-course and then think about and plan for and have the bits and tools in place to recover and to make considered choices at that time.

That business continuity plan, it could and should address a cyber-attack. And it'll talk about backups and knowing who your providers are and where you've stored data and key contacts to help you get up and going again.

But it might be dealing with a natural disaster. It might be dealing with a health episode. If you and I were the breadwinners of our partnership Tim and one of us got sick, that's going to bump us off track as much as a cyber-attack.

So, Chris is right on the money there. Think about what might happen that could take you off the course you want to be on and what are you going to do about it. And that's a really great contribution from Chris. Top tip of the day.

Tim Webster

Good on you Chris, thank you. Jenny says you can buy a credit card at one of the big supermarkets for various amounts. You can buy it on the internet and that’s not using your own savings. Lot of this is very clever, Bruce.

Bruce Billson

And really practical too. Jenny's again, right on the money. She's talking about practical steps well within your ability to take them, that actually mitigates against the risk of something bad happening. And then if something bad does happen, you’ve really cauterised the cost and consequences of it. They’re fantastic ideas and I hope your listeners are getting something out of this discussion.

Tim Webster

They obviously are. And thank you very much Chris and Jenny.

Now, before the news rushes up at me. The government's looking at removing the exemption that allows small businesses to not, to not comply with privacy laws. How does business feel about that?

Bruce Billson

Not thrilled, but it's very linked to our earlier discussion. So, under the privacy laws, there's a dozen or so privacy principles that big businesses need to read, absorb, interpret and then apply to their workplace and their enterprise about how they're going to manage data that might be vulnerable or might compromise a person's identity and those sorts of things.

So, you can understand where they're coming from. For many years there's been an exemption for small business, with the exception of sort of health professionals and those sorts of things. There's been a review saying, look, the whole world has changed. We just had a great discussion about it. And so much of our day-to-day life sees businesses having data that's really important to us.

Now is that data is risky to your identity or your economic interest, there's got to be certain duties to make sure you take really good care of it or, in some cases, advice to get rid of data you don't need so that you remove that risk. What the government's talking about is simply removing the exemption so that a small business has got to do all the hoop jumping the big businesses do this.

We’re saying, hang on a minute. Again, a time-poor, resource-constrained small business. Let's get in with some really straightforward, easily implementable action steps that achieve that objective and have good data management that's of advantage to the business as well, not just a compliance obligation. And maybe open up new opportunities to link cyber security safeguards, good data management. It’s a more complicated world to be running a business. But let's not make it needlessly super, super, super complicated where the risk and responsibilities just are completely out of whack.

Tim Webster

Bruce, I'm very glad I'm just a humble old broadcaster. The things small business have to deal with. It's quite amazing, isn't it? Really?

Bruce Billson

We've been tracking this and saying to anyone who will listen, the risks and responsibilities of business ownership continue to grow, but the rewards aren’t growing with them.

We need to really think about that risk-reward balance and make sure being an enterprising man and woman is attractive, it's fun, it creates wealth and opportunity for those business-minded people and those employees that they make possible. And it brings such a vitality to our communities where you might not have a big corporate go to regional and rural New South Wales.

What do you think's driving these regional economies and towns? It's small and family businesses, and we need to make sure we celebrate that and look for ways to energise enterprise so there's more of it and better prospects of success into the future.

Tim Webster

And just while I’ve got 30 seconds, a texter says to both of us. Mick Jagger did backup vocals on You’re so Vain so it couldn't have been him. I think that's right. However, why couldn't it have been him?

Bruce Billson

My mail tells me it was Warren Beatty and let’s remember there was a time when Carly Simon and James Taylor had a thing. That didn't end well. It used to be Her Town Too. There’s a song for you.

Tim Webster

I think she said in an interview it was a conglomerate, so let's go with that. Thanks for your time.

Bruce Billson

Take care and best wishes to you and your listeners.

Tim Webster

And he does join us quite regularly, it’s great. Our Small Business and Family Enterprise Ombudsman Bruce Billson.

Small businesses can't be held to the same privacy standards

Olivia Pearce — Sun, 21 Jul 2024 23:48:45 +0000

Small businesses can't be held to the same privacy standards Olivia Pearce Mon, 07/22/2024 - 09:48

22 July 2024

Opinion piece by the Ombudsman Bruce Billson.

Originally published in the Canberra Times.

The public rightly expects any personal information collected and stored by businesses - whether they are large or small - will be protected and only used for the reasons it was provided.

It is not credible for small business to continue to have a blanket exemption from providing necessary and appropriate protection of the personal information they have about their customers, staff, and other businesses they are dealing with.

The digital world has added so much, creating new opportunities and risks and the responsibilities that accompany handling personal information need to evolve with the times.

That is why my office has been working with the Australian government to ensure what replaces the current small business privacy exemption and any new regulations, are right-sized and appropriate for small business, easy to implement with clear advice and timelines and will give confidence to customers.

While the exemption is no longer tenable, nor is it practical to directly apply legalistic privacy principles, which larger businesses have to work through, to a small business.

These are principles big business and government agencies need to decipher, interpret and apply to their circumstances, which most small or family businesses do not have the resources or staff to navigate and implement.

We welcomed the acknowledgement by Attorney-General Mark Dreyfus of the special circumstances and limited time and resources of small business, the need for support and a reasonable transition period and the need for an impact analysis of what changes would mean.

In the consultation sessions involving 91��Ƭ��, we have worked hard with officials to help them appreciate that small businesses do not already have and will not soon have mastery of the Privacy Act. Nor will many be able to navigate data-handling protocols to develop a privacy statement and data-breach response plan. This understanding is critical to appreciate how small businesses operate and then appropriately design regulations to allow small businesses to be compliant.

Small businesses and their representatives are alarmed the system being contemplated would require a small business to interpret legalistic principles and undertake onerous and unfamiliar activities - exactly what small business consultation participants said was the worst way forward.

It is important now the consultation by officials focuses on readily understandable and practical steps supported by actionable information to ensure small businesses are not drowned in a sea of legal technicality and complexity.

A small business isn't a shrink-wrap version of a big corporation. There's no regulatory team or dedicated privacy experts, on-staff lawyers or sophisticated compliance systems. Typically, it's the owner - at 10pm - grappling with this after they've been running their business all day.

Small businesses will need clear guidance on the active steps they can take to protect the information of their customers, their staff, and themselves and to fulfil their responsibilities. This may include procedural templates, information guides and checklists explaining the clear steps required to meet their privacy obligations.

The government needs to translate privacy principles into clear, sequential actions, calibrated to the degree of privacy risk prevalent in the business that clearly responds to the question that will be asked by a small business: What is it I need to do?

Small business fears about new and unfamiliar compliance obligations would be eased by the government making a clear statement that it will provide concise, relevant and accessible guidance and there will be a suitable transition period.

Small businesses know they can suffer if customers lose confidence in their ability to protect personal information and will benefit from increased certainty around the way information is being managed and protected. There is a compelling business benefit in sound and dependable 'information management' in this digital era of opportunities and risks.

A cyber hack or malicious information release is harmful at many levels, including for the targeted small business that irreparably damages the business's ability to operate. The latest chilling report from the Australian Cyber Security Centre is that a cyberattack happens every six minutes and when a small business is hit, on average they suffer a financial loss of $46,000.

Sadly, in many cases it ends up being an enterprise-ending event as they never recover or re-earn the confidence of employees, customers, suppliers and partners.

Government should also embed any privacy changes in a nest of information management issues for small and family business including cyber protection, a safe digital presence, managing opportunities and risks presented by digital platforms, eInvoicing, data custodianship and consumer data right participation. Each is being pursued in a siloed way with different (often unknown) lead agencies, bespoke duties and concerns about mounting complexity and compounding compliance obligations.

These all can and should be addressed as an integrated 'information management' initiative highlighting both the business benefits as well as any new obligation through a synchronised engagement with small businesses through familiar intermediaries. This is an opportunity for government to progress important policy objectives while assisting small businesses to deepen their digital engagement, bolster vital information management tools and even explore the responsible use of generative artificial intelligence.

Why can't we explore what requirements can be systematised and routinely actioned by small business in existing 'natural business systems' and already familiar digital platforms and software being used for accounting and single-touch-payroll reporting? Rather than sprinkle resources around in the hope it better equips small business, why not work with the likes of MYOB, Xero, Intuit and Hnry (just to name a few) to embed key duties and action steps into the software businesses use daily?

More than nine out of 10 businesses are currently exempt from the privacy laws. Getting this reform right offers a golden opportunity to extend protection for customers, staff and suppliers. But it will not succeed unless the real-world circumstances and limitations of time-poor and resource-constrained small businesses are honestly understood and embraced by policymakers to create a workable, mutually beneficial and secure system for everyone.

Ombudsman’s guide for small business - using social media securely

Emily Carter — Wed, 29 May 2024 07:06:38 +0000

Ombudsman’s guide for small business - using social media securely Emily Carter Wed, 05/29/2024 - 17:06

28 May 2024

Australian Small Business and Family Enterprise Ombudsman Bruce Billson interview with Gary Adshead.

Radio 6PR Perth

Subject: Ombudsman’s guide for small business - using social media securely

Gary Adshead

There’s a new guide going out in relation to businesses using social media and trying to use it securely and properly. Bruce Billson is the Australian Small Business and Family Enterprise Ombudsman, and he joins me now. G’day Bruce.

Bruce Billson

Gary, fab to be with you and your listeners?

Gary Adshead

Can you tell whether it's a major, growing trend and whether the reason is it's just cheaper in terms of using a social media platform than building your own website?

Bruce Billson

I can and I can share it just with you, Gary, and your Perth listeners. It is a growing trend because a lot of businesses their digital presence is their channel to the marketplace. This is a great way of engaging with a lot of eyeballs you probably wouldn't otherwise be able to connect with. It's an aggregation place where people come looking for a range of opportunities. And for you and I, if we were to start a business, it's a way of getting into business without necessarily having the expense and the tail risk of a commercial lease and a bricks and mortar type operation.

So, it's very, very attractive. Lots of people have this as an early-stage business strategy or even, dare I use the phrase, a side hustle. It can be quite lucrative, but it's also quite hazardous. We've seen a doubling in the number of businesses that have had a problem with those very same digital platforms. So, they're opening up new opportunities, new markets, new potential, but they're not without their hazards. And that's what we're trying to help people steer away from.

Gary Adshead

And those hazards, is it around the social media platform itself perhaps might be easier to intercept than a website, in terms of those people that want to hack and want to get their clients details or want to upset the business?

Bruce Billson

Yeah, it's that kind of thing where those platforms have quite a sophisticated back end, which is the business of the platform Gary. So, imagine you and I, we've got a presence. We want to put a series of ads out. It's connected up to our place where we can buy and sell and engage with our service. But it then feeds into some other part of that platform where it might be an ad spend about targeted placement of our message. And connected to that can be our account details for a credit card and then maybe even a gateway into other linked accounts that if someone can get into one part of that system, they may be able to cause havoc in other parts of the system.

And then you and I as a person relying on that channel to do our business, sits there and sees our business going down the drain. In some cases, bad experiences, even a change to the website itself. And in other cases that we've seen people using the advertising linked accounts to drain those accounts to promote something else or to even do something quite malicious to our own accounts.

So that's where things go badly, Gary, and then the frustration just gets worse. The websites say, hey, get into your account to tell us that you can't get into your account. You can imagine that's the ultimate run around.

Gary Adshead

That has happened to me. Do you have a view that consumers are more wary of the Facebook or the other platform social media sites, rather than an actual structured website. Do you have a view on that?

Bruce Billson

I think they could be. I'll give you an example, and I'm probably outing myself here. I was traveling back from a conference in Tasmania sitting on the tarmac, and I saw on one of these platforms a product that would take a little scratch out of the duco of your car's paintwork. I thought that looks alright. I'm a bit car proud. So, I went through the social media channel and tapped in and thought I was doing quite well, making that purchase. The following morning I'm out mowing the lawn and I get a call from my bank saying, Bruce, we've blocked this payment. Do you know who they are? I said, they seem to be a UK-based provider. They said, they might try and sell you stuff, but they sell the details of the financial information you provided to someone else to hack you. So, they've shut down the show.

That's a thing to be alert to. And that's also why these integrated platforms are so attractive for hackers wanting to do nefarious things.

Gary Adshead

Alright, so you've come up with a guide, some sort of structure of what you can do that gives you the best chance If you're setting up one of these sites on a platform. What's your top tips?

Bruce Billson

Well, top tips are probably don't go the hamburger with the lot. Create a profile that's got privacy settings and control and management settings that you're comfortable with and you can actually take charge of. Take out profiles or other connections which you just don't need because they can often be that that gateway that people could use to gain access to your page.

Make sure you can actually control what you're doing. In the event that someone else gets in there, you've still got control and it's about turning ads on and off. And I do this myself, Gary. I've got a credit card that's got a pretty low balance on it, which I use exclusively for transactions that are online. So, if someone does tap into it, they can only do so much damage. And if I was selling through one of these platforms and I had a linked credit card for advertising expenditure, I do the same thing. I'd have one that didn't have a behemoth credit limit on it. I’d have it quite low knowing that if something went wrong, you can shut that down quite quickly. Even keeping to one side, the details of your you are URL and your account details. And even having it recognise that you're on a mobile phone so that if your account’s locked down, you can at least use that other channel, your mobile phone, that's recognised by the platforms to try and seek a resolution.

And if that doesn't happen and you're a small family business and you're seeing your business compromised by this and you're getting no help from the platforms, reach out for us and we can possibly help.

Gary Adshead

That's actually a real point, isn't it, that it's very difficult to find – even though Meta have got offices here – it's actually pretty difficult to get through to someone, particularly if this is an emergency.

Bruce Billson

It is incredibly difficult. And what we've said to Meta and the other platforms is that you need to have decent internal dispute resolution mechanisms, decent support, like here's a novel idea, Gary, how about a human someone can talk to you? Here's an idea maybe that might take off, and when we deal with them, we sort of say, Look, we definitely want someone who's got the authority to fix some of these problems. Some of them we can get sorted out quite quickly. But even with the relationship we work hard to build so that small and family businesses can get support from us. Even at times, it can still take weeks. Think of it in a real retail sense, that's weeks that your door's not open, you're not engaging with your customers and that can be really damaging to your business as well.

Gary Adshead

And I'm not trying to sort of put a damper on people who want to use these platforms for their business, but we have examples and we spoke last week to someone who through their own Facebook marketplace. People are basically knocking on their door asking for the product that they bought and the person's going, dunno what you're talking about. And it's because of this whole fraudulent nature that Facebook Marketplace.

The person I spoke to last week, a former minister in the in the government here who found that he was getting knocks on the door because he thought he was being used. He can't get anything done through Meta. He can't get any resolution to it. He's just got to put a sign on his gate saying it's not me, I'm not selling well.

Bruce Billson

And Gary, we've said to these platforms, you need to do better otherwise lawmakers will regulate. And you end up with it with a whole lot of challenges and obligations and duties you might not want. But if you want to, you want to try and minimize that prospect, do better, do better. I mean, we've even seen examples where you've got businesses interacting well, and these platforms, you know, aspire to look after customers. But this isn't the way of looking after customers. And that's why we're urging these platforms to step up and do better themselves. And that way if people do get half a chance to sort these things out and still can't, we can step in and try and be of assistance and that's what we're doing. Those cases have doubled in the last year and we expect to see that trajectory continue.

Gary Adshead

If push comes to shove and someone set up a business through a platform and suddenly people have lost money on it, who's liable? If it's the platform itself that was too easily hacked in that instance? I mean, it is it you as a business person to have to pay up or do you have to go to Meta and say, look, this is through no fault of my own, and good luck trying to get them to deal with it.

Bruce Billson

This is precisely what the Parliament's navigating right now. Who is accountable? Where do those responsibilities sit? Are the platforms doing enough?

Well, let's do a real life parallel. If you are managing a shopping centre and there were shops in your shopping centre, what type of conduct would you permit to happen? You've got some accountability for trade and commerce in that space that you govern and you manage. Now, the argument is the same should apply to these digital platforms.

And even in some areas Gary, which your listeners need to be alert to, particularly small and family businesses that are relying on these platforms, even the capacity to do a recharge back to a credit card? There is a new scam happening and it's happening with customers sort of saying, look, I've just bought this valuable item off a website that you host as part of your digital platform. I don't think it's being delivered. I want my money back. And then people are actually claiming, falsely, that the material wasn't delivered and the poor old business is faced with, hang on, I've got all the documentation saying it was delivered, you should at least check this out before you unilaterally take some dough back that I've been paid for the product that I've delivered when you're actually being stooged about that.

So, it’s another thing to watch out for.

For your listeners, make sure you've got some way of validating delivery and fulfillment. Otherwise that represents another risk to small and family businesses relying on these platforms.

Gary Adshead

It's funny because I went to a online platform not long ago to buy something in particular. It never came. It was, I don't know, two and a half months. I rang them and eventually said, Look, just give me my money back because it's not coming. They went alright. It turned up yesterday.

Bruce Billson

You might be my case study.

Gary Adshead

They did say if it does happen to turn up, well, good luck to you and so be it. So, they're pretty straight up and down. So now I've got two of the same thing.

Bruce Billson

Well, let me check on that chargeback. When I’m giving those stories, I might need to say a customer - let's call him Gary.

Gary Adshead

Alright, if people want to know about how to set up some safety tips and be secure on their digital platforms through these particular platforms that they should be going to your website.

It's A, S for Sam, B for Bob, F for Fremantle, E for elephant, O dot gov dot au forward slash SM-securely. (www.asbfeo.gov.au/sm-securely) I really appreciate you coming on Bruce.

Bruce Billson

Happy to chat Gary. Best wishes to you and your listeners.

Gary Adshead

Bruce Billson there, the Australian Small Business and Family Enterprise Ombudsman.

MEDIA RELEASE: Small business Ombudsman's guide to using social media securely

Emily Carter — Tue, 28 May 2024 23:20:09 +0000

MEDIA RELEASE: Small business Ombudsman's guide to using social media securely Emily Carter Wed, 05/29/2024 - 09:20

28 May 2024

The Australian Small Business and Family Enterprise Ombudsman, Bruce Billson, has released a guide for small businesses using social media as their business platform, with tips to reduce the chances of being hacked.

“Using social media can be a valuable way to grow and increase awareness of your business with existing and potential new customers, but there are important precautions that must be taken” Mr Billson said.

“Digital platforms have fundamentally changed the way small businesses connect and sell to their customers. Yet, when there is a problem – such as having your account shut down after being hacked – solving it can be a nightmare.”

Mr Billson said the number of cases involving a small business having problem with a digital platform has more than doubled since July 2022 (up by 127 per cent) and continues to be one of the top requests for assistance that requires a case manager to get involved.

Two-thirds of the cases relate to Meta, the owner of Facebook and Instagram, and 75 per cent of those disputes last month alone were about getting access to an account after being hacked.

“In too many cases, when there is a problem, these platforms require a time and resource-poor small business to navigate the most elaborate maze of dead-ends and blockages,” Mr Billson said.

“One of the absurdities of the current situation is after being locked out of your account, you need to access your account to make a complaint. It’s the ultimate run around.”

Mr Billson said the free Guide to Using Social Media Securely include tips for small and family businesses about how to reduce the risk of being hacked and steps that can be taken with the digital platforms if you are.

The free guide is available on the 91��Ƭ�� website at www.asbfeo.gov.au/sm-securely

“We have helped many small and family businesses across various digital platforms to resolve their disputes, and this guide includes some simple cyber security tips and practices for small businesses to protect themselves,” he said.

“It is important to not overlook important security elements when operating on social media, including how to reduce the risk of your social media accounts being hacked.”

When setting up a business on a digital platform:

Create your profile with the level of privacy and settings you are comfortable with, and that you can easily control and manage.
Make sure you can remove other users or profiles connected to the account and can control their level of page access.
Confirm you can turn ads on or off and can remove or update advertising payment information.
Have your account/s set up so the platform can communicate with you either via an app, text message or email to help with account recovery (should you need it).
Create a separate payment method that is only used for your social media account/s and set a limit on spending.
Keep your account details in a safe place. If your account is hacked and/or disabled, you may need to provide the URL for all your pages/accounts; the phone number and email address; and a screenshot of your page/s with the business name.
Consider expanding your business online presence to more than one platform. If your account is disabled, you can use the other platforms to continue to operate and keep your business going.

“Treat your online business security like you would a shop, factory or your home,” Mr Billson said.

“You wouldn’t give a person you have just met the keys to your business or your house, so only give access to your business account to trusted individuals. And remember not all users require full admin access.

“If you are hacked, report your issue immediately to the platform and make sure you are actually communicating with the platform and not the hacker.”

Mr Billson called on digital platform providers to improve their dispute resolution services.

“Big Tech must do better by its small and family business customers that depend on them,” he said.

“Some of the delays experienced by small businesses have lasted many months and having someone else access and control their account is devastating for their business and their reputation,” he said.

“Small businesses watch helplessly as the financial and emotional damage occurs in real time with no ability to stop it. They lose customers and money, if a credit card linked to these accounts if being used by the hacker or the hacker uses the account to access and harm other customers.

“We are urgently calling for codified, dependable and easy to use internal dispute resolution processes to be adopted by these digital platforms that can get problems resolved quickly.

“They need to be backed up by a real person you can speak to when a problem can’t be easily fixed.

“And this can be supported by a promoted external dispute resolution service, such as 91��Ƭ��, for small businesses that can’t gain a satisfactory outcome when working directly with the platforms.

“Whether it is Facebook, Instagram, Uber, Amazon, eBay, Shopify or any of the many other digital platform providers, across the board there is an urgent need for them to do better by their small and family business customers.”

MEDIA CONTACT: 0448 467 178